Posted by Zonk on Friday July 14, 2006 @06:39PM from the can't-please-anyone dept.

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

Wow, talk about some FUD. Of the 14 vulns so far 10 are NULL pointer dereferences. HD must be really desperate for publicity if he's trying to pump these up as legitimate security vulns. I mean, you can argue that a server crash is a DoS, but crashing a browser? Get real.

No, that's a stability problem. If the browser crashed the OS, I could see that being an issue, but let's get real, no one will remotely crash the browser just for shits and giggles because it's just dumb and a waste of time. Crashing an application is not a security issue unless the application is critical such as a webserver, database, etc.

I dunno - it didn't take me long to crash not just Firefox but also take out my X session with it (using one of the browser-fuzzing tools, mangleme). Now *that's* a major PITA - not quite as bad as crashing the OS, but nearly so on a desktop system...

For those of you who like to read articles in 1 single page instead of multiple pages to maximise advertising revenue.

Do you hate corporations so much that you need to make sure they make as little money as possible? If you don't want to see the ads, don't read the article. If you want to read the article, don't look at the ads.

Do you hate corporations so much that you need to make sure they make as little money as possible?

The corps that are still in business and not 'bookcooking' are essentially doing fine. Whatever costs they have that they won't eat and/or write off on their taxes take the form of higher prices.

Case in point

When Coca-Cola first came out, you could get a small glass of it for a nickel if I'm not mistaken. Now, one costs $1.00 from a vending machine (granted it's likely 20oz). Why the ridiculous price increase?

Not far from the truth at all. In their mind, every reported vulnerability serves to give customers an impression that IE is riddled with security problems. No matter that the damage is already done. If they looked at what's on a typical home Windows system, they'd know that already.

Here are the responses from the different browsers after receiving vulnerability reports:

Firefox: Fixed now, but when you install the new version for the fix, all your extensions won't work.
Opera: We didn't have to fix it, it was a non-standard feature that everyone wanted, but we didn't implement it because it might have broken an actual standard.
IE: The problem is with the people that report vulnerabilities. It's much more efficient to wait until someone writes an exploit before patching.

'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'

Yep. Too bad each and every one of these vulnerabilities has already long since been reported to Microsoft... which is hinted at by the correction at the bottom of the article:

CORRECTION: The article's discussion of Peter Swire's paper and position was clarified to stress that he believes proper disclosure involves first notifying the vendor, giving them time to fix the issue and then releasing vulnerability information.

Quoting the Microsoft "position" seems like a very odd choice for a story submission, without also giving the information that every one of these vulnerabilities has already been reported. Microsoft is simply sitting on their thumbs and not fixing them as usual; also as usual, they don't want the vulnerabilities published because this is made obvious.

Ok, this does seem strange, but brings up more questions for me... First, let's assume he is reporting these to Microsoft in a responsible way...

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage because he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles

The problem is that, using your stretched metaphor, there is a fire smoldering in the back of the theater, and nobody is aware. Sure, the first thing you do is call the fire department, but you don't wait for them to put the blaze out in order to notify people.

To construct a better metaphor: Would you tell someone if a pickpocket were stealing their wallet? Or would you call the police first?

These kinds of holes are not only found by the 'white hat' security researchers... Odds are good that if he's found a hole, others have as well, and are misusing it.

Nah, to stretch the original metaphor... HD Self-Promoter sees a situation in the theatre that, under the proper conditions that won't pop up in normal operations of the theatre, would start a fire. So he decides to demonstrate that he is correct about this by burning the theatre to the ground.

Nice rhetoric, but you neglect the fact that "normal operations" on the Internet includes operating in an adversarial environment. There is no reason why Microsoft or anyone else should get special treatment regarding the public disclosure of vulnerabilities. As a competitor to Microsoft, if my computer is vulnerable to executing arbitrary code, I don't want to have to trust that Microsoft won't exploit that vulnerability to further its own ends, nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties. Instead, I want to know now that my software is vulnerable, so that I can take the necessary precautions.

nor do I want to have to trust that Microsoft employees won't leak the information to malevolent third parties.

I applaud this patriot. He's identifying breaches in our national security infrastructure which are being exploited by malevolent international organizations. This is a demonstrably greater threat to our national security (recent state department break-ins [cnn.com]) than our porous southern border or our domestic phone call traffic.

Microsoft's foot-dragging on repairing these weaknesses is endangering

If he 'had' the knowledge of all the downlevel code and testing to fix exploits that MS must undertake for each exploit, then sure, he should be making the timeline call, but if the bug is more serious than what 'he' even may realize, it is still the vendor that should have the say on publishing this information unless the person finding the 'exploit' can offer a credible fix, solution, or way to safeguard consumers.

I disagree. Given that the EULA apparently allows software developers to eliminate all their liability for holes in their software, users should be very careful about who they get their software from. If a vendor can constantly be shown to leave big holes in their software, and people actually suffer loss due to said holes, then that vendor will lose all business. I believe that Microsoft would either be gone or releasing only [relatively] secure software if we had immediate release of vulnerabilities.

I further believe that the only reason Microsoft doesn't want the vulnerabilities released is that they will have to actually motivate their sorry asses and release the patches in a timely fashion, which means they can't distribute them to Microsoft Select customers first as they always have done, which means they will likely have fewer Select subscribers. Which serves them right, those assholes.

What are your opinions 'bias aside' on a single entity making decisions for vendors and consumers that they probably are not in a position to make?

Clearly they are in a position to make it, because they have the information on the vulnerability :)

Personally, I really, honestly believe that all vulnerabilities should simply be reported to the world at large. It would encourage vendors to use best security practices, and they would not be able to simply hide their head in the sand.

Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

Currently Microsoft does not utilize best practices - we're constantly finding vulnerabilities in new products that are due to the same old stupid crap like buffer overflows. Why coddle them?

Ok, then.

Name an Operating System vendor that doesn't have any buffer overflows found! Even the much-beloved OpenBSD had one reported not so long ago, despite what I feel is the best effort possible to eliminate them, and despite limiting the scope of the operating system so much it's a mental strain to consider it an

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?

And who is Microsoft to 'determine' when he is or is not allowed to notify the world of this? What if the author has knowledge that people are falling victim to this vulnerability?

So if MS doesn't meet his timeline, then the consumers and industry get screwed and put at risk.

Customers and industry are already at risk from the vulnerabilities themselves, and these vulnerabilities may already be in use by criminals. Indeed the summary suggests that this is the case.

I'm not saying he's right and Microsoft is wrong, but this isn't a simple issue. A combination of factors has left some sour tastes in people's mouths regarding Microsoft's current security practices. Microsoft's security advisories have become very terse/boilerplate with little or no details about what the vulnerability actually is. Their demand that people report the vulnerabilities in very specific ways (e.g. no proof of concept exploits, etc) in order to receive acknowledgement in the advisory is another. Add to this the fact that it often takes months and months to get a patch to a reported vulnerability, and people are again thinking that Microsoft doesn't care about security other than as a bulletpoint on their sales literature.

He is the person that reported it. I have never reported a problem to MS, but if they handle it like I expect (after dealing with other places that I've reported problems), I would expect that they take the information, toss it in the "we'll look at it" bucket, and ignore the person that reported it. If they want him to wait on reporting it, they should give him a reason. Perhaps something as simple as "we've had this reported before,

This is both a response to you and the post above... This brings up another issue. MS is big... All it takes is one bad person to take the report, read the bug/report or email, and the report isn't going anywhere.

I have dealt with similar issues, as everyone here has, with every company. Whether it be customer service, to sales, to beta testing. Get the wrong moron on the other end of the phone or your email and the problem never gets addressed.

No, it is just another form of journalism, and parties that are made to look bad by inconvenient details want to make it as contentious as reporting on wars. Obscurity has not worked, and going after the people that point out that MS or others have problems is not giving comfort to some sort of enemy, because the people vulnerable to the flaws can also do something about it even if there is no patch available yet. Why should the script kiddies and two or three guys at

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage because he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

The hackers and the software firms wrestled with this throughout the last half of the 1990s. They came to an uneasy truce somewhere around 2000 and decided that 30 da

That 30 days is a polite guideline: but given Microsoft's strong history of ignoring some very deep holes, for months if not years, groups that collect such vulnerabilities and report them are in a very bad position. CERT, for example, has at least 3 severe vulnerabilities, at least 6 months old, that I read copies of the reports for when submitted. They can't publish because they won't publish without Microsoft's approval, so the holes remain unacknowledged and probably unpatched.

This borders on yelling fire in a theater, because it isn't the theater owner that is getting hurt, it is the people getting trampled in the aisles...

And when there is a fire, how irresponsible is it to not yell fire?

Furthermore the justification behind the ruling in question was unusually weak. There is a very good reason that one must not falsely yell "Fire!" in a crowded theatre, which has nothing at all to do with "necessary" restrictions on free speech: it infringes on an agreement (contract) m

Even if speech itself is considered inalienable and cannot be legally prevented by a contract (as is my view), the contract can certainly impose fines for specific kinds of speech, because property is alienable. The fine is merely a conditional transfer of property rights; the condition can be anything the other party will agree to.

I would like to point out that a contract can't actually prevent anything; all it can do is assign penalties for certain actions. A piece of paper is completely unable to sto

Microsoft 'should' also be keeping proper dialog with people that report these exploits, but that does not give one individual the 'button' to nuke MS when they don't jump on a fix as fast as the person wants; he is only screwing the consumers, not MS, other than giving them bad press.

Huh? It sure does. He found the vulnerability, it's his to disclose. (Unless of course Congress has made that illegal this week...)

I think the software vendors are forgetting something: giving them an advance warning of the pen

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications?

Tough. The jackasses who have been peddling broken software for years, making phony claims about its "security", are the ones to blame.

News flash: The software was always vulnerable to these attacks. Blaming the guy who publishes exploits (with source code) is like blaming the auditors for disclosing your accounting fraud. Your books were cooked re

With that said, who is he to 'determine' the 'timeline' for the fix? What if the bug or exploit affects a vast amount of code and third party applications? Does he get to hold the industry hostage because he didn't get the 'timeline' response or fix from Microsoft 'he' expects, when he knows nothing of what the bug or exploit might entail?

You discount the fact that the "fix" doesn't have to be a Microsoft patch, it might simply be a customer turning off a service or closing off a port that previously looked

Reading http://browserfun.blogspot.com/ [blogspot.com], it looks like he submitted these on March 6. He is publicly reporting them in July. That's three months.

Ok, but don't you think 3 months could even be a little short?

Take the distribution cycle of an average product. (Think outside MS for a second and imagine getting updates out to clients? Ouch.) Ok, back to Microsoft, even with Microsoft's Update Site and Automation, the rollout of an update like this would be a couple of weeks for users that were

No. 3 months is _way_ too long. The standard used to be notify the vendor and wait forever. Vendors never fixed anything. Bugtraq and other security lists implemented a "full and immediate disclosure" policy, and bugs started getting fixed.

Lately, full and immediate has been pushed back to full and one month. That's a compromise so that in the unlikely event that hackers aren't already exploiting the bug it can be fixed by responsible companies before they get a chance to do so.

". . . this gives MS two months to find the exploit . .."You mean that -- "in the real world" -- Microsoft needs two months to find an exploit *after* someone reports it to them?

OK, that was facetious, but your argument refers to "the exploit" (singular) when the geek community's ire is over the average time for MS to respond to the *thousands* of exploits found over the years. Why do you restict your argument to the (relatively) few bugs for which that amount of time is actually justified?

Well, I'm not just a Slahdot poster, I'm also someone who makes purchasing decisions for my company; and *I* say that one day of vulnerability for my production machines is one day too many. The customer has spoken.

Ok, enjoyed your humor and all...

However, if this is your baseline for your systems, a product doesn't exist that will 'always' meet this requirement.

If you factor in the timeline and statistics, chances are no matter what routers you are using, what OSes you are using, there are probably 20-50 e

...Also note that "this commonly accepted practice" of only telling the vendor is ONLY MICROSOFT'S preference. The net's historically accepted method is broadcasting to the world, via bulletins on a security related (but "open") mailing list, preferably with example exploit code. (Sometimes code withheld/only sent to vendor until reporter finds someone who cares)

Think about it; if a PC gets exposed to viruses or malware, the average Joe will either A: buy a new version of Norton, or just not realise it until the PC fails to boot in under 10 minutes, at which point they just buy a new one, which means by default another license for Windows that isn't really needed, but Redmond gets the $$$ nonetheless...

Coincidentally, today I talked to a person who was asking whether they need to buy a new PC because a virus has stopped their PC from booting. Whether or not a virus was to blame or faulty hardware, it doesn't matter. This Joe Sixpack was ignorant enough to think that a virus destroyed OS = need for new computer.

From the looks of it, most if not all of those were reported months before they were published.

Give a vendor 90 days. If they fix it, never, ever release the details of how to exploit the vulnerability, as a reward and to help users who are slow to update. But if they willfully choose not to fix it, release the exploit to educate their userbase, and to help them to reevaluate their dangerous security policy.

I'd give the vendor a week at most, and that's being generous. And always release full details anyway. That's a lot of systems that could be getting broken into during those 90 days. If you know how to exploit something, making a program to do it automatically is a question of hours.

No, because if you never make the exploit public that doesn't mean that the black-hats won't know about it. And the 'slow to update' users will be vulnerable without ever knowing it.

Hell, publish it with the note that if they don't patch this vulnerability then a black-hat can break into their computer and use it to steal all their money from their bank _and_ rape their puppy! Maybe that will help them to be less 'slow' to update.

Besides, especially for Microsoft exploits... the moment I have time to share any info on something I found, I do. This is in part because of my lack of admiration for the company, and any bane for them is a gleeful gain for me. Come to think of it, I never contacted Microsoft to report anything remotely construed as intent for improvement; save one instance where I did specifically contact Microsoft presenting just one reason why I would never condone the use of their Server Operating Systems for even casual use, and they opened up dialog even. But, I think they could tell, I wasn't their friend.

Bottom line here, is what is 'responsible' exploit exposure? No one really has a hardened explanation. Companies would love for their ideas to govern exposure; basically it affords them the ability to flip the bird at one person (the discoverer) and hope no one else sees it; which is the most likely scenario because we all know capitalists think like this--'is it cost effective to address this bug? Is it cheaper to pay editors to belittle the effect of IE crashing by using phrases such as "[bugs within IE] MERELY causing IE to CRASH"?'.

Is it really responsible to notify the vendor first? Inherent to proprietary business interests, denial is an all too common tactic, and if they want to sue you, they could even suffer an obvious loss just to introduce you to the ringer. Or, is it more responsible to outright give full details to the first person you see on the street? I say, in regards to consumer business, it's much more effective and therefore responsible should you post all exploits, with details and working examples, the moment you are able to muster the content and activate the 'Send' command. This approach is akin to starting a fire underneath the proverbial ass. Why give a company an option? Force them to live up to their end of the deal; the deal being that you paid for a product, as advertised and within reasonable expectation of operation. There is no option to fix or not to fix a bug that crashes an application, it must be fixed; while this is the tendency in the Open Source area, it is a philosophical obligation for a company.

So, light those fires is what I say. I think it's ridiculous that many exposing exploits do not give details and working example code, or some sites that do have that culture require registration and are less in the spotlight.

You notice that your neighbor often leaves his patio door unlocked when he leaves for work, so you kindly leave him a note, so that in the future he may avoid being harmed. All is well.

This is not an even slightly similar situation to your example.

If you can explain to me who in this example is Microsoft, I'll be seriously fucking impressed, because you didn't even include them.

Now, what WOULD be a good example is if you noticed that your neighbor's patio door didn't lock properly, and you found another of the same model, and noticed it didn't lock properly either, then you got that information out to the general populace. On one hand, it would inform burglars that those doors were easy to get through, but on the other, people who had that kind of door could be informed, and take steps to correct it.

Where does this analogy break down? There's a zillion places you can look to find security vulnerabilities, and most any of them that are worth anything are effectively equivalent, they all have the same vulnerabilities within a few days. There is no clearing house for patio door security information.

Still, it makes dramatically more sense than the bullshit you spouted.

Also, Microsoft has a shit security record miles long. Expecting Microsoft to release stable, secure software is like expecting the Pope to open an abortion clinic. By the same token, it's like someone today buying a Yugo. We all know they're utter, complete shitboxes, that will actively cost you money - they're not worth getting for free. Why would you do it? Granted, I do use Microsoft software, but I know it's insecure, so I make sure to take more care than I would were I on Linux or something.

Finally, people learn from mistakes. If they are losing their data because they went with Microsoft, Microsoft will eventually suffer. It's a shame that people can't do some basic research and find out that Microsoft is awful, but that's their own fucking fault. People who would do tons of research before buying a car will do absolutely none before buying a computer, and then wonder why they have problems. I am not responsible for their willful stupidity. Or yours.

Let's say there's another OpenSSH (to remove MS angle) vulnerability. Somebody announces it:
1. Somebody finds a vulnerability and makes it public
2. I block SSH port immediately
3. Mail everybody who uses it: SSH has a vulnerability, mail/call me with your IP address and I'll make an exception
4. Now I can relax a little, read the security advisory, run tests, and patch SSH. Most exploits involve very straightforward patches.
5. Test patch (obviously)
6. Remove SSH port block
7. Everything is back running, and all is well. Some time later I get the vendor-provided bugfix (updated package in Debian or whatever)

Now your version:
1. Somebody finds a vulnerability and only reveals it to the vendor. Vendor sits on their asses for a month
2. Since I don't know anything, I can't take any action
3. Two weeks later, some jerk roots the box
4. Yay, now I have to take the box offline, examine it, restore from backups.
5. Oops, I forgot, I still have to protect it against a vulnerability there's still no information about!
6. Bring box back online, without being really sure I won't get rooted again
7. If I'm lucky, some time later, the vendor's patch arrives.

Why isn't there a SUPERPLUSGOOD for clean, crisp comments like this one vadim_t posted. That pair of examples could summarize the best of all the best comments on this thread. But, yeh, if it IS provable that the guy indeed notified ms, then, with their EIGHT BILLION or more per year in R&D or whatEVER the hell it is they throw around that money on, they OUGHT to be forced to keep pace. If Open Source can do it with pennies and sweat, then ms should NOT be allowed to let its customers be shafted.

First of all, it's more like holding a chalupa upside down on a hot day while your friend holds an ice cream cone upside down on a hot day... don't you think you should tell your friend "Hey, upside down ice cream has a heat vulnerability"

Excellent description of the problem, but I don't see why so many people shout about "MS shouldn't be allowed to get away with this". Yes, yes they should...because you bought their products, you agreed to the stuff that said "We might support you if we want". You agreed to

So, in your analogy, is your neighbor supposed to be MicroSoft, or everyone running IE? Who are the people who suffer if the door is unlocked? And who has the capability to lock the door?

A better analogy would be: Your neighborhood all gets their locks from one vendor. You find out that someone can make a key that works in every one of those locks. You inform your vendor of the problem. Meanwhile, someone could be running around stealing things from people's homes because of these locks. Your vendor sits o

I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

I feel that there is not enough being done about stupid legislators. So I'm going to pass a stupid law a day, every day, for the month of July. Any reports I'm getting huge checks under the table are lies.

> I feel that there's not enough being done to curb gun violence here in Oakland Ca. So I'm going to shoot one person a day, every day, for the month of July. Any reports that I'm enjoying it are exaggerations.

(Not to put a downer on your funny post but...)

...it's more like "So I'm going to report every murder on the TV news, for everyone to see, until people get so fed up with seeing it every night, that they pressure the Oakland Police (who, just as Microsoft has a legal monopoly on its own sourc

This is more a situation of, "I feel there's not enough being done to curb gun violence in Oakland, CA, so every day in July I'm going to disclose to the public one case of a cop failing to prosecute a known black market arms dealer, felon in possession of a firearm, or murderer, because it wasn't convenient for the Police Department's schedule."

It's more like publishing the names and addresses of child molesters: the molesters don't want you to publish their names, the police often don't want to publish the names because it can screw up their pending court cases or prosecutions, but leaving the molesters alone will certainly not stop them or protect anyone.

1) warn the vendor ASAP
2) warn the security community within a week, immediately if the vendor has no objections
3) as soon as there is an exploit that represents a real threat:
a) give all details to the security community
b) give a workaround, like "disable such and such service," to the general public.

First, this process does not protect the user, it is merely a PR thing for the vendor. While I feel for the vendor, and wish to give them adequate time to correct the problem, history tells us that this sympathy backfires. Here is the normal drill. If a vulnerability gets reported, but there is no exploit "in the wild", then the vulnerability gets less priority. This is fine because the exploitable code needs to be fixed first. But then later o

Waiting is just letting the crackers have more time before things hit the fan. Security shouldn't be something you slap on like a bandaid afterwards. Before exploits are being "found" by security vendors and researchers they are often being actively used by crackers. Security vendors then buy the exploits and sell the information to their customers.

So, shedding light on these security problems "irks" some vendors. How about the sysadmins and users who are stuck wasting their time patching problems that should have been fixed months ago, or before release? What about people who have had data compromised or destroyed by exploits brought to the public eye in this report?

While I realize that many of these bugs are not critical security issues, my hat is off to Moore for having the rocks to continue his effort in the face of "irked" vendors and hax0rs. P

I used to be a linux fan. never really stopped, but life didn't let me pursue it for a while. now i'm admin of a linux-based phone switch (eOn's equeue) and these alerts suddenly concern me. fact is, i don't even have root. it's menu-based, you can get a shell but su doesn't work. the eOn techs are the ones responsible for root tasks, and i'm not sure they're going to handle this promptly.

in addition, it's making me have some slight apprehension regarding my plan to put a couple linux machines in the systems room at work. be a bit embarrassing if the new guy's machines got owned.

New Windows machines get owned too but I don't think that is exactly your concern. Any alternative has to be outrageously superior to whatever established way of doing things is being replaced. The various ways that Windows machines can malfunction are common experiences to many and after long conditioning somew

Blackhats have been doing this and other work like it for years. The current state of security is defined better by ignorance than by safety. Patching is a workaround, not a solution. To use an analogy: Patching means we built more hospitals in response to car crashes, instead of inventing air bags.

I'll enjoy the show. It's a very good demonstration that "oh, we'll fix whatever comes along as soon as we learn about it" is not a vi

So often we hear about worms that attack the net via vulnerabilities that have been around for months, and everyone screams at the vendor for being slow to patch. I've seen this suggested before and it's a simple idea. Give them three weeks. Send it to the bat-phone or whatever the vendor has. Three weeks later, post it somewhere nice and public - a forum for the discussion of existing unpatched vulnerabilities. Post it regardless of whether or not a patch is available.